Be Prepared for Computer Forensics

The science of finding, gathering, analyzing and documenting any sort of evidence is typically defined as 'forensics.' That discipline has branched off into a new specialty, that of 'computer forensics.' Network managers and corporate security teams don't need to be dedicated computer forensics specialists, but they do need to be at least acquainted with the edges of this discipline in order to effectively interact with law enforcement officials at the 'scene' of a computer crime. Oliver Rist reports.

Congress, the FBI and even larger metropolitan police departments are devoting significant specialized resources towards investigating all types of cyber-crime. That's good news not only for corporations, but network managers as well since at least the bad guys now have some consequences to worry about. But along with new power always comes new responsibility, and it can't be all up to the cops. Network managers and network security teams will need to be prepared for interaction with cyber-law enforcement. This practice is called computer forensics, and it's a discipline with which no network manager should be unfamiliar, mainly because it may come knocking at your door regardless of whether you want it to or not.

This is an important additional consequence of the new attention being paid to cyber-crime by law enforcement. Companies may no longer have a choice as to whether or not to involve law enforcement. If a hacker compromises a large e-commerce site, for instance, and steals a load of credit card numbers, the compromised company is now obligated to involve law enforcement simply to offer some measure of protection to its customers. Since outside investigators are primarily concerned with collecting and handling evidence and not the smooth continued operation of your network, network administrators need to know what to expect from such an investigation even if it's just to keep things running during the investigation.

Basic Practices & Definitions
The science of finding, gathering, analyzing and documenting any sort of evidence is typically defined as 'forensics.' For cyber-victims, that discipline has branched off into a new specialty, that of 'computer forensics.' Corporate security teams and network managers don't need to be dedicated computer forensics specialists, but they do need to be at least acquainted with the edges of this discipline in order to effectively interact with law enforcement officials at the 'scene' of a computer crime.

This is largely due to the transient nature of cyber-related evidence. The fleeting nature of any kind of electronic data is such that its preservation, especially for legal proceedings, requires well-defined and documented procedures. Thus, even with as relatively recent a specialty as this, a standard methodology already exists; actually quite a simple one that can be broken down into three key elements:

Acquire the evidence;

Document the evidence;

Analyze the evidence.

For corporate security specialists and network managers, steps one and two are certainly the most important when you know you'll be dealing with a law enforcement investigation. But, while step 3 requires the most specialized expertise, it's also useful for network managers to delve into, not only because that knowledge will help with steps one and two, but also because it can also assist with your day-to-day network management tedium, too.

But while analyzing computer forensic evidence might be the more interesting part of cyber investigation, acquiring the evidence can certainly be the trickiest. That's because law enforcement often requires first-hand evidence, not simply log reports. Finding the evidence is often not nearly as difficult as maintaining it, especially true in cases where some form of malevolent code has been deposited on one or more machines on the network.

For network managers, then, this means devising means to secure machines that have become compromised. The optimal state of security is simply to freeze a compromised machine until the proper authorities can examine it. This becomes tricky, however, if the compromised machine is, for example, an important server. Systems administrators will need to determine first whether the system has been compromised (but without destroying important evidence), then determine whether its backup has been compromised, and finally isolate the infected machine from the network (and activate a backup system) without shutting it down.

There are a number of forensic software tools that can aid in determining compromised systems and their state. But sometimes you're not simply looking for malevolent code; you may be investigating whether a user's workstation has been used for illegal purposes. This can be exceptionally delicate for a number of reasons. First, you don't want it to look as though your company bungled the investigation and destroyed valuable evidence; second, you don't want to give a future defense attorney any loopholes; and, third, you may not want to tip off the suspect prior to the arrival of law enforcement investigators.

What this really means is think ahead. Windows 2000 network administrators, for example, need to examine their network resources with an eye towards criminal behavior and response. Take Win2K's encrypted file system (EFS) resource. Left unchecked, this is a powerful tool for not only external hackers, but internal criminals as well. If an outside hacker manages to log into a workstation as that workstation's primary user, then all EFS files are automatically readable -- by default no additional password or authentication process is required.

Internally, EFS cannot be used unless the system names a key recovery authority. Typically this is a dedicated network administrator -- but network administrators need to be especially careful about who gets appointed to this role as he or she has exceptional power when it comes to reading sensitive corporate information. Smart users can also dictate that recovery keys be exported off the system, which will require the recovery administrator to insert an appropriate floppy or CD containing the key in order to access encrypted files. Without it, you're helpless.

Surreptitious investigation of a suspected user's workstation is also tricky with regards to EFS because encrypted files will generally be readable only when that user is logged into the machine. Should anything interfere with that session -- a power failure, a password-equipped screen saver, or the user logging out -- then EFS files may be locked up forever. Similarly, yanking a user off his machine and pulling the plug on the box may also result in the entire hard disk becoming encrypted (a popular booby trap) and the contents becoming useless. A smart move here might be to access Microsoft's Management Console first and creating a backup key recovery certificate. That way, even if the files are copied to another system they'll still be accessible.

Obviously, EFS is only one possible variable in a cyber-crime scenario -- and then only a Windows 2000-based scenario. Unix, OS X, Linux and even handheld OSes all have their own quirks in this regard and the relatively recent birth of computer forensics really hasn't caught up as yet. That means there are no hard and fast procedures that will cover every contingency under any operating system. Network and systems administrators simply need to become as educated as possible about all the resources on their networks and then implement their own response plans to criminal incidents.

In the conclusion of this two-part article, we'll look at what it takes to set up your response plan,evidence handling and documaentation, and forensic tools and intrusion detection.

--Oliver Ristis a technology journalist and vice president of technology at AIC Inc. Additionally, he is former technology editor of InternetWeek and expert in the Microsoft Windows and BackOffice product family.